If all you want to do is authenticate users within a 3000 group to an external ACS server, then set the group to Internal (yes, Internal) on the 3000. Disregard the wording on this screen, it just confuses everyone. Go back in and modify this group and you'll find you have extra tabs that you can set. Under the IPSec tab, set Authentication to Radius. That's all you need to do, and is the correct way to do it.
Setting the 3000 group to External means you want to configure all the group parameters on an external ACS server, not that you want to authenticate users in that group to an external server. You'll notice that when you set it to EXternal, most of the configuration tabs disappear, that's because the 3000 is assuming that you're going to configure everything on the ACS server and send it down. If you do this (and you can, it's just that most people dont), then yes, you need to create a user on ACS with the 3000 group name and password, and send back all the 3000 group attributes back. Add the 3000 as a Cisco VPN3000 NAS into ACS, then go under Interface Config - Radius (Cisco VPN3000) section, and check all the attributes in the User column. Now when you modify the 3000 user, you'll be able to set all those 3000 group attributes just as if you were in the 3000 GUI, these will be returned to the 3000 when it tries to authenticate the group user/password, and everything will work normally. Again though, not many people do this, and most people just get confused with the Internal/External setting.
To repeat, if you just want to authenticate VPN users to the external Radius server, set the 3000 group to Internal and under the IPSec tab set Authentication to Radius.
If you really want to define all group parameters on the ACs server, then, and only then, set the 3000 group to External and make sure the ACS server is set up to send back all those group parameters as Radius attributes.
